SocGholish Deploying a Python-based Backdoor Linked to RansomHub Affiliate

Summary

eSentire discovered a cyberattack involving SocGholish (also known as FakeUpdates) malware, which was used to gather system information and deliver a zip archive containing a Python-based backdoor linked to RansomHub affiliates. Emerging in 2024, RansomHub is a Ransomware-as-a-Service (RaaS) operation that focuses on high-profile targets and promotes its services on the Dark Web forum RAMP (Russian Anonymous Marketplace).

Technical Analysis

Initial access was achieved when the victim visited a compromised WordPress site, butterflywonderland[.]com, which displayed a fake prompt instructing them to update Microsoft Edge. Upon following the instructions, the victim downloaded an “Update.zip” file containing the SocGholish JavaScript file, “Update.js.”

This script’s primary function is to send a POST request to the SocGholish command and control (C&C) server at “hxxps://exclusive.nobogoods[.]com/updateStatus” to fetch the next stage payload, which it then executes using the eval() function.

The deobfuscated version of the script is shown below.

After initial infection, SocGholish collected key system details — including domain, username, computer name, and processor architecture — and transmitted the data to its C&C server through URL-encoded HTTP POST requests. This reconnaissance aimed to help threat actors strategically select viable targets while avoiding detection by researchers and sandbox environments. Additional activities included:

  • Using the LOLBin net.exe to gather network connection information, which was sent back to the C&C.

  • Executing the systeminfo command to collect system details, also exfiltrated via HTTP POST.

  • Enumerating Active Directory servers using a PowerShell command.

  • Exfiltrating browser "Login Data" files from Microsoft Edge and Google Chrome through PowerShell.

  • Extracting encryption keys used to protect saved credentials, cookies, and credit cards from browsers and sending them to the C&C.

After retrieving the Python-based backdoor, SocGholish executed several commands to set up and run the payload. First, it renamed a temporary file into a ZIP archive to disguise the backdoor:

  • Rename Command:
    cmd.exe /C rename "c:\programdata\rad.tmp" "python3.12.zip"

Next, SocGholish unpacked the contents of the ZIP archive into the C:\programdata directory. This extracted the backdoor and its supporting files:

  • Unpack Command:
    cmd.exe /C tar -xf c:\\programdata\\python3.12.zip -C C:\\programdata & dir c:\\programdata\\python3.12\\ > "C:\\Users\\user\\AppData\\Local\\Temp\\rad.tmp"

Then, the malware created a scheduled task to launch pythonw.exe, ensuring persistence and execution of the backdoor. Notably, no specific script was provided, indicating that the backdoor automatically loads when pythonw.exe runs:

  • Scheduled Task Creation Command:
    cmd.exe /C powershell -c "" > "C:\Users\user\AppData\Local\Temp\rad97DD4.tmp"
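The three deployment steps above (rename to .zip, tar extraction under ProgramData, pythonw.exe launched with no script) can be turned into host-based detection logic. This is an added defender-side example, not code from the eSentire report or this post; the Sysmon-style event fields and the sample events are constructed assumptions, with the command lines mirroring the ones quoted in the report.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style (assumed
# field names); the command lines mirror those quoted in the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C rename "c:\programdata\rad.tmp" "python3.12.zip"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C tar -xf c:\programdata\python3.12.zip -C C:\programdata & dir c:\programdata\python3.12\ > "C:\Users\user\AppData\Local\Temp\rad.tmp"'},
    {"image": r"C:\programdata\python3.12\pythonw.exe",
     "cmdline": r"C:\programdata\python3.12\pythonw.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",          # benign control event
     "cmdline": r"cmd.exe /C dir C:\Users\user"},
]

# '\\+' tolerates the doubled backslashes seen in some logging pipelines.
RE_RENAME = re.compile(r'\brename\s+"?[a-z]:\\+programdata\\+[^"\s]+\.tmp"?\s+"?[^"\s]+\.zip', re.I)
RE_TAR = re.compile(r'\btar\b.*\s-xf\s+"?[a-z]:\\+programdata\\+', re.I)
RE_SCRIPT_ARG = re.compile(r'\.pyz?\b', re.I)

def tmp_renamed_to_zip(ev):
    """A .tmp staged under ProgramData is renamed to a .zip (payload disguise)."""
    return bool(RE_RENAME.search(ev["cmdline"]))

def tar_extract_in_programdata(ev):
    """The built-in tar.exe unpacks an archive that lives under ProgramData."""
    return bool(RE_TAR.search(ev["cmdline"]))

def pythonw_without_script(ev):
    """pythonw.exe running out of ProgramData with no .py/.pyz argument,
    matching the scheduled-task launch described in the report."""
    image = ev["image"].lower()
    return (image.endswith("\\pythonw.exe") and "\\programdata\\" in image
            and not RE_SCRIPT_ARG.search(ev["cmdline"]))

RULES = (tmp_renamed_to_zip, tar_extract_in_programdata, pythonw_without_script)

def match_events(events):
    """Return (rule_name, cmdline) for every event that trips a rule."""
    return [(rule.__name__, ev["cmdline"]) for ev in events for rule in RULES if rule(ev)]

def chain_detected(events, min_stages=2):
    """Escalate when at least min_stages distinct stages fire on one host."""
    return len({name for name, _ in match_events(events)}) >= min_stages

if __name__ == "__main__":
    for name, cmd in match_events(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

Requiring two distinct stages before escalating keeps a lone `tar -xf` by an administrator from paging anyone, while the full chain still fires on a single stage-matching host.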

Once unpacked, the python3.12 directory contained a Python archive named fcrapvim.pyz (the obfuscated backdoor), along with critical dependencies like _socket.pyd, socket.pyd, and select.pyd.

Upon execution, the Python backdoor invoked a function called pc_start, which decrypted an embedded payload string and performed evasion checks. Specifically, it looked for signs of virtualization (e.g., "vm" or "virtual" in the platform name) and attempted to detect debugging activities by checking /proc/self/status. If any anti-analysis conditions were met, the malware immediately terminated.

After successful decryption, the backdoor connected to the attacker's command server at 38.146.28[.]93. The malware was capable of establishing SOCKS proxy tunnels, allowing the threat actors to route traffic through the compromised machine for internal reconnaissance or lateral movement.

The start_transferring function handled unpacking network connection commands from the attacker's server, enabling the backdoor to dynamically proxy traffic to any specified IP or domain.

Recommendations

  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.

  • Use reputable anti-virus and internet security software on your connected devices, including your PC, laptop, and mobile device.

  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.

  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.

  • Block URLs that could be used to spread malware, e.g., Torrent/Warez.

  • Monitor for beaconing at the network level to block data exfiltration by malware or threat actors (TAs).

  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

Conclusion

The SocGholish malware campaign highlights the sophisticated tactics used by attackers to establish persistent access within target networks. Through multi-layered encryption, evasion checks, and the use of common system tools for execution, the attackers maintain stealth and evade detection. By utilizing a SOCKS proxy, the backdoor enables extensive reconnaissance and lateral movement across compromised systems. This underscores the need for advanced detection and proactive network monitoring to defend against such persistent and evolving threats.

Written by

FPT Metrodata Indonesia